arxiv: v1 [math.nt] 20 Jun 2017

Transcription

1 Pseudorandom number generator based on the Bernoulli map on cubic algebraic integers Asaki Saito 1, and Akihiro Yamaguchi 2 1 Future University Hakodate, Kamedanakano-cho, arxiv: v1 [math.nt] 20 Jun 2017 Hakodate, Hokkaido , Japan 2 Fukuoka Institute of Technology, Wajiro-higashi, Higashi-ku, Fukuoka , Japan (Dated: June 27, 2017) Abstract We develop a method for generating pseudorandom binary sequences using the Bernoulli map on cubic algebraic integers. The distinguishing characteristic of our generator is that it generates chaotic true orbits of the Bernoulli map by exact computation. In particular, we clarify a way to properly prepare a set of initial points (i.e., seeds), which is needed when generating multiple pseudorandom sequences. With this seed selection method, we can distribute the initial points almost uniformly in the unit interval and can also guarantee that the orbits starting from them do not merge. We also report results of a large variety of tests indicating that the generated pseudorandom sequences have good statistical properties as well as an advantage over what is probably the most popular generator, the Mersenne Twister MT PACS numbers: a Electronic address: saito@fun.ac.jp 1

2 I. INTRODUCTION A random sequence is a sequence of numbers that are a typical sample of independently identically distributed random variables, and it cannot be generated by a deterministic algorithm (cf., e.g., Refs. [1, 2]). A pseudorandom sequence, i.e., a computer-generated sequence that appears similar to a random one, is therefore not random at all, but has a wide range of applications, such as Monte Carlo methods, probabilistic algorithms, and cryptography [3]. In order to generate such pseudorandom sequences, various pseudorandom number generators have been proposed, including linear congruential generators [4], linear feedback shift registers [5], and the Mersenne Twister [6]. Of all the generators, MT19937 [6], a version of the Mersenne Twister, is probably the most popular one at this time. MT19937 can produce, at very high speed, a pseudorandom sequence having an astronomically long period of length and having a high-dimensional (623-dimensional) equidistribution property, which makes the generator very useful, especially for Monte Carlo simulations. Even if a generator has these remarkable properties, however, there is no guarantee that independence, which is the greatest characteristic of random sequences, is preferable (cf. Sec. IV B). In this paper, we deal with the issue of how we generate pseudorandom sequences having the best possible statistical properties even if such generation increases the computational cost to some extent. Among random sequences, the most fundamental ones are (uniform) random binary sequences. One of the mathematically simplest and soundest ways to generate (pseudo-) random binary sequences is to use the Bernoulli map. Also known as the doubling map, the dyadic map, or the 2x modulo 1 map, the Bernoulli map is a map on the half-open unit interval [0, 1) given by 2x if x [0, 1/2) M B (x) = 2x 1 if x [1/2, 1). Note that the repeated tossing of a fair coin is modeled by the one-sided Bernoulli shift on {0, 1} N with0and1havingequalweight1/2,andthisbernoullishiftismeasure-theoretically isomorphic to M B (cf., e.g., Ref. [7]). Thus, M B can produce binary sequences equivalent to those obtained by tossing a fair coin. However, it is well known that one cannot simulate M B with conventional simulation methods such as those using double-precision binary floatingpoint numbers or arbitrary-precision rational numbers(see, e.g., Refs.[8, 9]). This is because, 2

3 for M B, finite binary decimals on [0, 1) are eventually fixed points (i.e., points that reach the fixed point at x = 0 after finitely many iterations) and because rational numbers on [0, 1) are eventually periodic points (i.e., points that reach a periodic point after finitely many iterations). For this reason, a computational method that realizes pseudorandom number generation using M B has not been proposed [10] (except for our previous study [11]), although pseudorandom number generators based on chaotic dynamics have been very widely studied for many decades [12 14]. On the other hand, orbit computations using algebraic numbers other than rational ones have been performed in the fields of number theory and arithmetic dynamics (e.g., Refs. [15 19]). Also, by using our methods to achieve exact simulations of piecewise linear and linear fractional maps [20, 21], one can generate errorless true orbits displaying the same statistical properties as typical orbits of M B (as well as those of the tent map and the baker s transformation; cf. [10]). In particular, by using true orbits on quadratic algebraic integers, we succeeded in realizing a pseudorandom number generator using M B [11]. To our knowledge, the generator of Ref. [11] is the only one that has a direct connection to the repeated tossing of a fair coin, but we can expect that we can establish such generators having good statistical properties also by using algebraic integers of degree three or more. In order to realize such generators, however, we particularly need to resolve the issue described below. When proposing a pseudorandom number generator, it is desirable to simultaneously disclose how one can properly perform seed selection, especially in the case where one needs multiple seeds to generate more than one pseudorandom sequence. In particular, such a method for selecting initial points (i.e., seeds) is indispensable for a generator based on true orbits: In true orbit computations, the longer a true orbit, the higher the computational cost of generating it. Therefore, the computational cost can be markedly lowered by generating a number of relatively short true orbits. We could establish such a seed selection method in the case of quadratic algebraic integers, but algebraic numbers of different degrees are quite distinct from each other, and it is unclear even whether such a seed selection method exists in the case of algebraic integers of degree three or more. In this paper, we realize a pseudorandom number generator using chaotic true orbits of the Bernoulli map on cubic algebraic integers. We also devise, for the cubic case, a seed selection method for generating multiple pseudorandom binary sequences. Moreover, we demonstrate the ability of our generator by performing two kinds of computer experiments: 3

4 extensive statistical testing and a comparison with MT II. PROPOSED PSEUDORANDOM NUMBER GENERATOR In this study, we use cubic algebraic integers to simulate the Bernoulli map M B. A cubic algebraic integer is a complex number that is a root of a monic irreducible cubic polynomial x 3 +bx 2 +cx+d with b,c,d Z (see, e.g., Ref. [22] for a detailed explanation of algebraic integers). M B maps any cubic algebraic integer in the open unit interval (0,1) to a cubic algebraic integer in (0, 1). Let us introduce two sets, S and S, and a map π from S to S. Let S be the set of all (b,c,d) Z 3 satisfying the following three conditions: (i) b 2 3c 0 (ii) d < 0 (iii) 1+b+c+d > 0 Figure 1 shows part of S. If we consider a function f : R R, given by f(x) = x 3 +bx 2 + cx+d with (b,c,d) S, we see from (i) that f is strictly monotonically increasing. Thus, f has a unique real root, denoted by α. We also see from (ii) and (iii) that f(0) < 0 and f(1) > 0, which implies α (0,1). Since α / Z, we see that α is a cubic algebraic integer. Also, let S be the set of all cubic algebraic integers in (0,1) that are roots of x 3 +bx 2 +cx+d with (b,c,d) S. We can define a map π from S to S by assigning each (b,c,d) S the unique real root α S of x 3 +bx 2 +cx+d. It is easy to see that π : S S is a bijection. In the following, we represent α S with (b,c,d) = π 1 (α) S. M B maps α S to α = 2α mod 1. As already mentioned, α is a cubic algebraic integer in (0,1). Moreover, we can see α S as follows. Let (b,c,d) be the representation of α, and let x 3 +b x 2 +c x+d be the minimal polynomial of α. Then, the coefficients b, c, d are given as follows: If α (0,1/2), b b c = c. (1a) d d 4

5 10 5 c d b 0 5 FIG. 1: Part of S. The dots represent elements of S. If α (1/2,1), b c d = b c d 1 (1b) Equation (1a) (resp. Eq. (1b)) is obtained by substituting α = α /2 (resp. α = (α +1)/2) into x 3 + bx 2 +cx+d = 0. It is easy to confirm that (b,c,d ) satisfies the conditions (i), (ii), and (iii), which implies α S. Equation (1) gives the explicit form of π 1 M B π, i.e., the transformation on S corresponding to M B. We denote this transformation by M B. Note that M B gives the representation (b,c,d ) of α from the representation (b,c,d) of α. This transformation is exactly computable by using only integer arithmetic. Incidentally, we see easily that (b, c, d) with b 2 3c < 0 is mapped to (b,c,d ) with b 2 3c < 0, and that (b,c,d) with b 2 3c = 0 is mapped to (b,c,d ) with b 2 3c = 0. One has to exactly determine whether a given α S is in (0,1/2) or (1/2,1) in order to generate true orbits of M B on S, thereby obtaining pseudorandom binary sequences. Let α be represented by (b,c,d) S, and let f(x) = x 3 +bx 2 + cx+d. This determination can be made easily by evaluating the sign of f(1/2). In fact, if f(1/2) > 0, then α (0,1/2); otherwise, i.e., if f(1/2) < 0, then α (1/2,1). To evaluate the sign of f(1/2), it is sufficient to evaluate that of 1 + 2b + 4c + 8d. Therefore, one can exactly determine whether α (0, 1/2) or not by using only integer arithmetic. Consequently, one can generate a true orbit 5

6 {(b n,c n,d n )} n=0,1,2, of MB starting from an initial point (b 0,c 0,d 0 ) S, where (b n,c n,d n ) = M B n(b 0,c 0,d 0 ). In order to obtain a pseudorandom binary sequence {ǫ n } n=0,1,2,, all one has to do is let ǫ n = 0 if 1+2b n +4c n +8d n > 0 and ǫ n = 1 if 1+2b n +4c n +8d n < 0, in the course of generating a true orbit. III. SEED SELECTION METHOD In this section, we consider how to select initial points (i.e., seeds). Because α represented by (b,c,d) S is irrational, its binary expansion is guaranteed to be nonperiodic. Thus, one can choose any (b,c,d) S as an initial point in the sense that at least one obtains a nonperiodic binary sequence. It is worth noting that the binary sequence obtained from (b,c,d) S is not only guaranteed to be nonperiodic. In fact, it is widely believed that every irrational algebraic number is a normal number (Borel s conjecture [23]). Recall that α R is said to be normal if, for any integer b 2, every word of length l 1 on the alphabet {0,1,...,b 1} occurs in the base-b expansion of α with asymptotic frequency b l. Also, it is proved that the base-b expansion of any irrational algebraic number cannot have a regularity so simple that it can be generated by a finite automaton [24]. Moreover, our previous studies strongly suggest that the base-b expansion of any irrational algebraic number has the same statistical properties as those of almost all real numbers [11, 20, 21]. For the generation of more than one pseudorandom sequence, it is necessary to prepare an initial point set Ī S. One can consider a variety of conditions that here, we impose the following two conditions (Conditions 1 and 2) on it. Ī should satisfy; Condition 1. The elements of I S corresponding to unit interval. Ī are uniformly distributed in the This condition is for unbiased sampling of initial points and is a natural one also from the viewpoint of applications, such as the Monte Carlo method. However, it is a nontrivial question as to how we can construct Ī satisfying Condition 1, because α depends on (b,c,d) in a very complicated way. In fact, α takes the following complex form: 6

7 If b 2 3c < 0, α = 3 2b3 +9bc 27d+3 3 b 2 c 2 +4c 3 +4b 3 d 18bcd+27d ( b 2 +3c) 3 3 2b 3 +9bc 27d+3 3 b b 2 c 2 +4c 3 +4b 3 d 18bcd+27d 2 3. If b 2 3c = 0, α = 3 2b3 +9bc 27d b 3 3. Condition 2. The orbits starting from the elements of Ī do not merge. Evenifoneselectstwodifferentpointsastheelementsof S, thelatterpartsoftheresulting binary sequences may coincide with each other. In fact, this happens if the two points are on the same orbit or, more generally, if the orbits starting from them merge. When generating multiple pseudorandom sequences, it is desirable that the binary sequences derived from Ī are as different from each other as possible, and it is obviously desirable that Ī satisfies Condition 2. However, in order to realize such an Ī, we need to make it clear how we can select the elements of Ī while avoiding such orbital overlaps. In what follows, we show that we can construct an Ī satisfying Conditions 1 and 2. Concerning Condition 1, the following fact holds. Fact 1. Let c be a sufficiently large positive integer, and let Ī b,c = { (b,c,d) S d { 1, 2,, (b+c)} }. (3) Then, the elements of I b,c S corresponding to Īb,c are distributed almost uniformly (equidistantly) in the unit interval. Proof. Since b 3c, b c holds for sufficiently large c. Let (b,c,d) Īb,c, α d = π(b,c,d), and f d (x) = x 3 + bx 2 + cx + d. We see that f 1 (0) = 1, lim c f 1 (2/c) = 1, lim c f (b+c) (1 2/c) = 1, and f (b+c) (1) = 1. Thus, we have lim c α 1 = 0 and lim c α (b+c) = 1. We also see easily that α d < α d 1 and f d (α d 1 ) = 1 hold for d { 1, 2,, (b+c)+1}. Let d = α d 1 α d (d { 1, 2,, (b+c)+1}). By the mean value theorem, there exists β (α d,α d 1 ) such that f d (β) = 1. It is easy to see d 7

8 that 2 b +c < f d (x) < 3+2 b +c holds for x (0,1). Thus, for sufficiently large c, we have (3+2 b +c) 1 < d < ( 2 b +c) 1, which implies ( 1+ 2 b +3 ) 1 < ( d c c < 1 2 b ) 1. 1 c We note that x+2 x 1 holds for x 1 and that x 1 2x+3 holds for 1/2 x 1. Thus, for sufficiently large c, we have 1 2 b +3 c < d 4 b < 1+ c 1 c, which implies lim max c d { 1,, (b+c)+1} c d 1 1 = 0. Therefore, if we take a sufficiently large c, the elements of I b,c are distributed across the unit interval almost equidistantly, with distances approximately equal to c 1. An important characteristic of MB on S (or equivalently, M B on S) when considering Ī satisfying Condition 2 is its injectivity. The inverse image of (b,c,d ) S under M B is uniquely determined if it exists: If b (or c or d ) is even, (b,c,d ) is derived from Eq. (1a). If odd, it is derived from Eq. (1b). Let us call an element of S a source point if it does not have an inverse image in S. It is clear that two different source points do not exist on the same orbit. Also, the injectivity prevents the merging of orbits starting from different source points. Concerning the source points, the following fact holds. Fact 2. There is no inverse image for (b,c,d) S if and only if one of the following conditions holds: (i) b, c, d are neither all even nor all odd. (ii) b, c, d are all even, but c 0 (mod 4) or d 0 (mod 8). (iii) b, c, d are all odd, but 2b+c 1 (mod 4) or b c+d 1 (mod 8). Proof. If (b,c,d) S has an inverse image, then by Eq. (1) b, c, d are either all even or all odd. We can easily verify that a necessary and sufficient condition for (b,c,d) S with b, c, d all even to have an inverse image is that both c 0 (mod 4) and d 0 (mod 8) hold. Similarly, we can verify that a necessary and sufficient condition for (b,c,d) S with b, c, d all odd to have an inverse image is that both 2b+c 1 (mod 4) and b c+d 1 (mod 8) 8

9 hold. Therefore, (b,c,d) S has no inverse image if and only if one of the conditions (i) (iii) holds. The orbits starting from the elements of Ī do not merge if one lets Ī consist of only source points. Consequently, on the basis of Facts 1 and 2, we can construct Ī satisfying Conditions 1 and 2: The simplest way is to choose b to be an even integer and c to be a large positive odd integer, or b to be an odd integer and c to be a large positive even integer, and to let Ī be the Īb,c given by Eq. (3). Note, however, that consisting of only source points is not a necessary condition for Ī to be free from orbital mergers. For example, Īb,c with b = 0 and c = 8 contains a point that is not a source point, but mergers do not occur with Ī0,8 (cf. next paragraph). Condition 2 is equivalent to the condition that latter parts of the binary sequences derived from Ī do not coincide, which in turn is equivalent to the condition that, even if each of the binary sequences is transformed by any multi-bit shift operation that is expressible as a map x 2 n x mod 1 (n Z 0 ), none of the resulting sequences are identical. With computer assistance, one can reveal that many, but not all, of Īb,c have a much more desirable property than Condition 2. Namely, for many of Īb,c, Q(α) Q(β) holds for all α,β I b,c with α β (i.e., each element of I b,c belongs to a different cubic field). In particular, we experimentally confirmed that all of I b,c with b = 0 and c in 1 c have this desirable property, which leads us to the following conjecture: Conjecture 1. Let c Z >0. Then, Q(α) Q(β) holds for all α,β I 0,c with α β. If I b,c has such a property, the binary sequences derived from Īb,c are significantly different fromeachotherinthefollowingsense: Even ifeachofthebinarysequences istransformedby any operation expressible as a rational map with rational coefficients (except those mapping elements of I b,c to rational numbers), the resulting sequences include no identical sequences. Such operations include not only multi-bit shifts, but a wide variety of operations, e.g., all-bit inversion, which is expressible as the map x 1 x. 9

10 IV. EXPERIMENTAL RESULTS A. Statistical testing We evaluated our generator using three statistical test suites: DIEHARD [25], NIST statistical test suite [26], and TestU01 [27]. We summarize their results in Table I. We performed DIEHARD and NIST tests on the binary sequences of length 10 6 derived from Ī0,1001. For TestU01, we prepared test data as follows: We generated the binary sequencesoflength usingī0, Wethenremovedthefirst32bitsofeachsequence and concatenated the resulting sequences in descending order of d value. We removed the first 32-bit blocks in order to avoid introducing correlations among them, because each of these blocks stores information regarding the position of the initial point. Here we briefly explain the three statistical test suites and report their results. DIEHARD [25] contains 234 statistical tests classified into 18 categories. The results for 6 of the 18 categories are further tested by checking the uniformity of the resulting P- values. (That is, DIEHARD consists of 234 first-level tests and 6 second-level ones.) Using DIEHARD version DOS, Jan 7, 1997, we performed all 240 tests with a significance level of As a result, 238 of the 240 tests were passed. NIST statistical test suite [26] contains 188 first-level tests. In NIST testing, each of 188 first-level tests is performed 10 3 times, and the results of each first-level test are further tested in two ways: (i) The proportion of passing sequences is tested using a significance level of (cf. Ref. [11]). (ii) The uniformity of P-values is tested using a significance level of For this procedure, we used version of the NIST statistical test suite. As a result, 187 of the 188 second-level tests based on the proportion of passing sequences were passed. As for the second-level tests based on the uniformity of P-values, all 188 tests were passed. TestU01 [27] offers several predefined sets of tests, including SmallCrush, Crush, and BigCrush, which consist of 15, 144, and 160 tests, respectively. In TestU01, the result of each test is interpreted as clear failure if the P-value for the test is less than or greater than The result is interpreted as suspicious if the P-value is in [10 10,10 4 ) or (1 10 4, ]. In all other cases, the test is considered as passed. Using version of TestU01, we applied SmallCrush, Crush, and BigCrush to the test data described above. 10

11 TABLE I: Results of statistical testing. Statistical testing Number of: Tests Passed tests Suspicious tests Failed tests DIEHARD First-level tests Second-level tests NIST STS Second-level tests (proportion) Second-level tests (uniformity) TestU01 SmallCrush Crush BigCrush As a result, all tests of SmallCrush, Crush, and BigCrush were passed. Consequently, all tests were passed for NIST s second-level testing based on the uniformity of P-values and TestU01 s SmallCrush, Crush, and BigCrush, while a few tests were failed for DIEHARD and NIST s second-level testing based on the proportion of passing sequences. Note that the numbers of failed tests(i.e., two for DIEHARD and one for NIST s second-level testing based on the proportion of passing sequences) are within relevant ranges because they areclose tothe expected numbers offailedtests (i.e., 2.40 fordiehardand0.29 fornist s second-level testing based on the proportion of passing sequences). From these results, we can confirm that our generator has good statistical properties. B. Comparison with the Mersenne Twister MT19937 Here we attempt a comparison between our generator and MT As described in Sec. I, MT19937 is a highly practical generator that produces, at very high speed, a pseudorandom sequence having a period of length and a 623-dimensional equidistribution property. In spite of these marked characteristics, this generator has been reported to fail linear complexity tests and birthday spacings tests with specific lags [27 29]. This is dueto thefact that thegenerator isbased onalinear recurrence over thetwo-element field F 2 = {0, 1}. MT19937 generates a sequence of 32-bit unsigned integers. In the following, we will 11

12 identify a 32-bit unsigned integer with an element of F Also, we will not distinguish between row and column vectors except in that a vector postmultiplying a matrix will be regarded as a column vector. MT19937 is one of the multiple-recursive matrix methods [30, 31], and any sequence {y n } n=0,1,2, in F 32 2 generated by MT19937 obeys the following recurrence relation (cf. Ref. [29]): y n = y n 227 +Ay n 623 +By n 624, n 624, (4) where y 0,y 1, y 623 are initial vectors, and A and B are matrices with elements in F 2. The explicit forms of A and B are given in Appendix A. From Eq. (4), we can grasp the regularity of the sequence generated by MT For example, the most significant 8 bits of y n and those of y n 227 coincide if an integer n with n 624 satisfies the following two conditions: (a) The inner product of the ith row vector of A and y n 623 equals zero for every i with 1 i 8. (b) The inner product of the second row vector of B and y n 624 equals zero. Note that condition (b) is equivalent to the condition that By n 624 = 0 (cf. the form of B in Appendix A). Let y n = (y n,1,y n,2,,y n,32 ) F 32 2 and Y n = 8 i=1 y n,i2 8 i for n 0. We generated a sequence {y n } n=0,1,2,, of 32-bit unsigned integers using MT19937 [32], and plotted, in Fig. 2, the points (Y n 227,Y n ) for n satisfying conditions (a) and (b). All the points are on the diagonal line Y n = Y n 227, but, obviously, this cannot happen with a random sequence. On the other hand, our generator produced a binary sequence of length 10 7, using (0,1, 1) S as an initial point. Then, by partitioning it into nonoverlapping binary subsequences of length 32, we transformed it into a sequence {y n } n=0,1,2,, of 32-bit unsigned integers. Also for this {y n } n=0,1,2,,312499, we plotted, in Fig. 2, the points (Y n 227,Y n ) for n satisfying conditions (a) and(b), which was similar to what we didfor {y n } n=0,1,2,, obtainedbymt WecanseefromFig.2thatthepointsobtainedfromourpseudorandom sequence are almost uniformly distributed on the square. Although the computational cost of our generator is significantly higher than that of MT19937, our pseudorandom sequence displays the same behavior as true (uniform) random sequences. 12

13 Y n Y n 227 FIG. 2: Plot of the points (Y n 227,Y n ) for n satisfying conditions (a) and (b). Dots represent points obtained from a pseudorandom sequence produced by our generator. Crosses represent those by MT V. CONCLUSION In this paper, we have introduced a pseudorandom number generator using chaotic true orbits of the Bernoulli map on cubic algebraic integers. Although this generator has a high computational cost, it exactly simulates the Bernoulli map that can generate ideal random binary sequences. We also have clarified a seed selection method that can select initial points (i.e., seeds) without bias and can avoid overlaps in latter parts of the pseudorandom sequences derived from them. Moreover, we have obtained experimental results supporting the conjecture that the initial point sets I 0,c with c Z >0 have a more desirable property such that each element of I 0,c belongs to a different cubic field. In order to demonstrate the capabilities of our generator, we have performed two kinds of computer experiments: Firstly, we have tested our generator using three statistical test suites DIEHARD, NIST statistical test suite, and TestU01 and have shown that it has good statistical properties. Secondly, we have examined the independence property of pseudorandom numbers and have clarified an advantage that our generator has over what is probably the most popular generator, the Mersenne Twister MT

14 Acknowledgments We thank Shigeki Akiyama, Shunji Ito, Teturo Kamae, Jun-ichi Tamura, Shin-ichi Yasutomi, and Masamichi Yoshida for their suggestions. This research was supported by JSPS KAKENHI Grant Number 15K

15 Appendix A: Explicit forms of matrices A and B in Eq. (4) In this Appendix, we provide the explicit forms of matrices A and B in the recurrence relation (4) for the Mersenne Twister MT Matrix A: Matrix B:

16 [1] M. Li and P. Vitányi, An Introduction to Kolmogorov Complexity and Its Applications, 2nd ed. (Springer, New York, 1997). [2] H. Sugita, Monte Carlo Method, Random Number, and Pseudorandom Number (Mathematical Society of Japan, Tokyo, 2011). [3] D.E. Knuth, The Art of Computer Programming, 3rd ed. (Addison-Wesley, Reading, MA, 1998), Vol. 2, Chap. 3. [4] D. H. Lehmer, in Proc. 2nd Symp. on Large-Scale Digital Calculating Machinery (Harvard University Press, 1951), p [5] S.W. Golomb, Shift Register Sequences (Aegean Park Press, Laguna Hills, CA, 1982). [6] M. Matsumoto and T. Nishimura, ACM Trans. on Modeling and Computer Simulation 8, 3 (1998). [7] P. Billingsley, Ergodic Theory and Information (Wiley, New York, 1965). [8] E. Atlee Jackson, Perspectives of Nonlinear Dynamics (Cambridge University Press, Cambridge, 1991), Vol. 1, Chap. 4. [9] A. Saito, Prog. Theor. Phys. Supplement 161, 328 (2006). [10] For a similar reason, there has also been no proposed pseudorandom number generator using the tent map on [0, 1] given by M T (x) = 1 2x 1 or the baker s transformation on [0,1) 2 given by ( 2x, y ) M b (x,y) = ( 2 2x 1, y +1 ) 2 if x [0, 1/2) if x [1/2, 1) althoughthesemaps, together withm B, provide(literally) textbookexamplesofchaotic maps. [11] A. Saito and A. Yamaguchi, Chaos 26, (2016). [12] S.M. Ulam and J. von Neumann, Bull. Amer. Math. Soc. 53, 1120 (1947). [13] T.Y. Li and J.A. Yorke, Nonlinear Anal. 2, 473 (1978). [14] S. Oishi and H. Inoue, Trans. IECE Japan E65, 534 (1982). [15] S. Lang and H. Trotter, J. Reine Angew. Math. 255, 112 (1972); Addendum, J. Reine Angew. Math. 267, 219 (1974). [16] F. Vivaldi, Nonlinearity 5, 941 (1992). 16,

17 [17] J.H. Lowenstein, G. Poggiaspalla, and F. Vivaldi, Dynamical Systems 20, 413 (2005). [18] S. Akiyama, Actes des rencontres du CIRM 1, 3 (2009). [19] M. Furukado, S. Ito, A. Saito, J. Tamura, and S. Yasutomi, Experimental Math. 23, 390 (2014). [20] A. Saito and S. Ito, Physica D 268, 100 (2014). [21] A. Saito, S. Yasutomi, J. Tamura, and S. Ito, Chaos 25, (2015). [22] E. Hecke, Lectures on the Theory of Algebraic Numbers (Springer, New York, 1981), Chap. 5. [23] É. Borel, C. R. Acad. Sci. Paris 230, 591 (1950). [24] B. Adamczewski and Y. Bugeaud, Annals of Mathematics 165, 547 (2007). [25] G. Marsaglia, DIEHARD: A battery of tests of randomness, [26] A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, J. Dray, and S. Vo, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST Special Publication Revision 1a (2010). [27] P. L Ecuyer and R. Simard, ACM Trans. Math. Softw. 33, 22 (2007). [28] F. Panneton, P. L Ecuyer, and M. Matsumoto, ACM Trans. Math. Softw. 32, 1 (2006). [29] S. Harase, Math. Comput. Simul. 100, 103 (2014). [30] H. Niederreiter, Linear Algebra Appl. 192, 301 (1993). [31] H. Niederreiter, Finite Fields Appl. 1, 3 (1995). [32] For initialization, we carried out the same procedure as the one adopted in the program available at m-mat/mt/mt2002/codes/mt19937ar.c. 17